MHDD Data Recovery & Forensics v15 - © 2009 MHDD 1 Hard Drive Kung Fu Magic MFT & File Based Imaging Data Recovery Forensics by Scott A. Moulton

MHDD Data Recovery & Forensics v15 - © 2009 MHDD 2 Disclaimer

MHDD Data Recovery & Forensics v15 - © 2009 MHDD 3 Imaging Traditional Method

MHDD Data Recovery & Forensics v15 - © 2009 MHDD 4 What did you miss? Time you could have been playing WOW, C&C, Insert Game of Choice! Small Files that exist in the MFT! Fragmented Files! Problems with Spares Files! And you may damaged the hard drive further reading every sector especially if those are not needed!

MHDD Data Recovery & Forensics v15 - © 2009 MHDD 5 The New Way MFT Imaging & File Based Imaging This allows you to recover based on selection allowing you to be more surgical in your recovery!

MHDD Data Recovery & Forensics v15 - © 2009 MHDD 6 MetaData & MFT Files

MHDD Data Recovery & Forensics v15 - © 2009 MHDD 7 NTFS Structure (1) From Microsoft.com

MHDD Data Recovery & Forensics v15 - © 2009 MHDD 8 NTFS Structure (2) From Microsoft.com

MHDD Data Recovery & Forensics v15 - © 2009 MHDD 9 Exported MFT Records

MHDD Data Recovery & Forensics v15 - © 2009 MHDD 10 Badly Fragmented Hard Drive

MHDD Data Recovery & Forensics v15 - © 2009 MHDD 11 Concepts Restore Just Those Files Image Sectors/Clusters Use Windows to Select Folders/Files Image $MFT and $Bitmap Locate/Select Partition Tables Image MBR

MHDD Data Recovery & Forensics v15 - © 2009 MHDD 12 DeepSpar Disk Imager

MHDD Data Recovery & Forensics v15 - © 2009 MHDD 13 DeepSpar Disk Imager MFT Imaging Demo

MHDD Data Recovery & Forensics v15 - © 2009 MHDD 14 END